Department of Homeland Security
Office of Inspector General

Challenges Remain in DHS' Efforts to Secure Control Systems

OIG-09-95                                       August 2009

Table of Contents/Abbreviations

Executive Summary ........ 1
Background ........ 2
Results of Audit ........ 4
     Progress Made in Facilitating Control Systems Cybersecurity Awareness ........ 4
     Improved Information Sharing and Communication Will Enhance Control Systems Cybersecurity ........ 5
          Recommendations ........ 7
          Management Comments and OIG Analysis ........ 8
     Increasing the Number of Vulnerability Assessments Can Reduce Sectors’ Risks ........ 9
          Recommendations ........ 11
          Management Comments and OIG Analysis ........ 12
     Specific Performance Measures Should be Defined to Assess Effectiveness of CSSP ........ 13
          Recommendation ........ 15
          Management Comments and OIG Analysis ........ 15
     Formal Training Program Will Increase Public Awareness and Protection Expertise ........ 15
          Recommendations ........ 17
          Management Comments and OIG Analysis ........ 17

Appendices
     Appendix A: Purpose, Scope, and Methodology ........ 19
     Appendix B: Management Comments to the Draft Report ........ 21
     Appendix C: Major Contributors to this Report ........ 25
     Appendix D: Report Distribution ........ 26

Abbreviations
  CIKR          Critical Infrastructure and Key Resources
  CS2SAT        Control System Cyber Security Self-Assessment Tool
  CSCSWG        Cross-Sector Cyber Security Working Group
  CSSP          Control Systems Security Program
  DHS           Department of Homeland Security
  FY            Fiscal Year
  GAO           Government Accountability Office
  HSPD          Homeland Security Presidential Directive
  ICS-CERT      Industrial Control Systems Cyber Emergency Response Team
  ICSJWG        Industrial Control Systems Joint Working Group
  INL           Idaho National Laboratory
  IT            Information Technology
  NCSD          National Cyber Security Division
  NIPP          National Infrastructure Protection Plan
  NPPD          National Protection and Programs Directorate
  OIG           Office of Inspector General
  PSA           Protective Security Advisors
  SSA           Sector-Specific Agency
  US-CERT       United States Computer Emergency Readiness Team

OIG
Department of Homeland Security
Office of Inspector General

Executive Summary

We reviewed the National Cyber Security Division’s (NCSD) Control Systems Security Program (CSSP) to determine its effectiveness in improving cybersecurity for control systems within the nation’s critical infrastructure and key resources. Control systems are vital to the operation of production systems within factories and plant facilities across the nation. They are used in industries such as chemical, electric, oil and natural gas, and water and wastewater treatment. A disruption in control system operations may result in the loss of productivity and life, and have a negative impact on the economy and national security.

NCSD implemented its CSSP to coordinate the cybersecurity efforts for control systems between the public and private sectors. NCSD facilitates cybersecurity information sharing with the public and private sectors through various working groups, white papers, and web postings. In coordination with other leading security organizations, NCSD jointly sponsors and participates in cybersecurity training. NCSD offers online training via its United States Computer Emergency Readiness Team website, and conducts its own instructor-led training sessions designed to provide information on cyber threats and the mitigation of vulnerabilities. NCSD also performs vulnerability assessments of operational control systems and vendor equipment to improve their security posture.

While NCSD has made progress in implementing a cybersecurity program for control systems, opportunities still exist for improvements to its CSSP. NCSD needs to encourage more information sharing of critical infrastructures’ needs, threats, and vulnerabilities between the public and private sectors. NCSD should increase the number of cybersecurity vulnerability assessments performed in order to reduce the overall risk to current operational control systems. NCSD should establish enhanced performance measures to ensure its mission and goals are attained as they relate to CSSP. Additionally, NCSD’s education, training, and awareness program should be expanded to improve the public and private sector personnel’s knowledge of control systems cybersecurity.

We originally proposed 8 recommendations to the Deputy Under Secretary of the National Protection and Programs Directorate (NPPD). Recommendation 7 was removed based on the response received from NPPD. NPPD has already begun to initiate actions to implement the remaining recommendations. NPPD’s response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

The information technology (IT) revolution has changed the way businesses and the public operate. Regardless of security implications, the nation shifted the control of essential processes in manufacturing, utilities, and communications to networked systems. Due to the nation’s reliance on the cyber infrastructure and the daily challenges of cybersecurity, the Department of Homeland Security (DHS) has the lead on coordinating efforts to enhance protection of the critical infrastructure and key resources (CIKR). Terrorists and spies are targeting public and private sector information networks in order to gain competitive advantages and cause disruptions in the nation’s CIKR.

Approximately 90% of critical infrastructures are privately owned and operated. The nation’s CIKR are composed of public and private institutions in 18 sectors: Agriculture and Food, Banking and Finance, Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Government Facilities, Healthcare and Public Health, IT, National Monuments and Icons, Nuclear Reactors, Materials, and Waste, Postal and Shipping, Transportation Systems, and Water. Control systems operate the production systems in these CIKR sectors.

[Figure 1: Examples of CIKR Sectors]

Initially, control systems had little resemblance to traditional IT systems because they were isolated systems running proprietary protocols using specialized hardware and software. Today, control systems are adopting IT solutions to promote corporate business systems connectivity and remote access capabilities. Control systems that previously used proprietary protocols are becoming Internet Protocol-enabled, which can increase the likelihood of cyber vulnerabilities and incidents.

According to the Homeland Security Act of 2002, the Secretary of DHS is assigned the responsibility to coordinate the overall national effort to enhance the protection of CIKR. Within DHS, NCSD works collaboratively with public, private, and international entities to secure cyberspace and America’s cyber assets. NCSD has two overarching priorities: (1) to build an effective national cyberspace response system; and (2) to implement a cyber risk management program for critical infrastructure protection. Furthermore, NCSD is to provide guidance and methodologies to sectors to assist them in managing cyber risks and to develop effective and appropriate protective plans and measures.

Although each of the critical infrastructure industries is vastly different, they all have one thing in common – their dependency on control systems to monitor, control, and safeguard vital processes. NCSD has recognized that the protection and security of control systems is essential to the nation’s security and economy. NCSD established its CSSP to help coordinate cybersecurity efforts among public entities, as well as control systems owners, operators, and vendors. The goal of the program is to lead a cohesive effort between public and private sectors to reduce the risk and improve the security posture of control systems within and across all CIKR. Furthermore, NCSD coordinates risk mitigation activities to reduce the likelihood and severity of successful cyber attacks against critical control systems.

Results of Audit

Progress Made in Facilitating Control Systems Cybersecurity Awareness

NCSD has made progress in broadening awareness about control systems cybersecurity. NCSD undertook efforts to coordinate protection activities of critical infrastructure sectors and serve as the focal point for the security of cyberspace.

NCSD conducted exercises in order to demonstrate to control systems owners the possible effects to their systems as a result of a cyber incident. One such exercise was the Aurora project, which specifically focused on the use of digital protection control devices.[1] NCSD issued a series of reports designed to improve cybersecurity by recommending best practices to address common hardware and software vulnerabilities. NCSD also partnered with several of the Sector-Specific Agencies (SSAs) in preparing their sector-specific roadmaps addressing control systems cybersecurity initiatives. Additionally, NCSD established collaborative relationships with the public and private sectors to facilitate cybersecurity awareness for the control systems that protect the nation’s CIKR. Other progress included:

- Establishing the CSSP and hiring staff to address cybersecurity issues directly related to control systems. Additionally, a CSSP analyst assists the United States Computer Emergency Readiness Team (US-CERT) with control systems-related incidents to quickly coordinate the activities needed to address the event and inform the public and private sectors.

- Establishing working groups within the public and private sectors to provide resources and forums for organizations to better approach cybersecurity issues. The working groups assist with the coordination of control systems cybersecurity initiatives.

- Distributing US-CERT vulnerability and critical infrastructure information notices pertaining to specific vulnerabilities, as well as quarterly trend and analysis reports, to control system representatives.[2]

- Conducting in-person and online training. Training consists of basic understanding and awareness of control systems’ security sessions, intermediate courses for managers and IT professionals, and classes on common vulnerabilities, as well as vulnerabilities specific to the energy sector.

[1] The Aurora project, sponsored by DHS, demonstrated the effect of hacking into a power plant’s control station via computers and digital devices.

[2] Vulnerability and critical infrastructure information notices are public warnings describing the nature of an identified vulnerability, the software product, its impact, and the solution for correcting the vulnerability.

While progress has been made, NCSD still faces difficult challenges in effectively reducing the cybersecurity risks to the nation’s critical infrastructure. Improvements are needed in NCSD’s effort to protect and secure control systems that are essential to the nation’s security and economy.

Improved Information Sharing and Communication Will Enhance Control Systems Cybersecurity

Though NCSD has made progress in establishing and monitoring collaborative efforts between the public and private sectors, communication issues continue to exist. Without the public and private sectors working together to identify and share critical cyber information, there is little assurance that critical data will be made available to key stakeholders in order to prevent, detect, or recover from a cyber incident.

In 2007, the Government Accountability Office (GAO) and our office reported that NCSD needed to improve information sharing and communications efforts within the control systems community.[3] We recommended that NCSD develop a strategy for guiding and coordinating control systems security efforts across public and private sectors. The strategy was to include a description of various public and private entities’ roles and responsibilities, and mechanisms to improve information sharing and the dissemination of sensitive information to key cybersecurity personnel.

[3] GAO-07-1036, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems are Under Way, but Challenges Remain (September 2007) and OIG-07-48, Challenges Remain in Securing the Nation’s Cyber Infrastructure (June 2007).

In response to these recommendations, NCSD drafted its Strategy for Securing Control Systems, dated December 2008. The primary goal of the strategy is to create a common vision for sector participation, information sharing, coalition building, and leadership to guide stakeholder activities and improve overall coordination. In the strategy, NCSD encourages the SSAs to coordinate cybersecurity efforts within their respective sectors. SSAs are to facilitate and enhance communication within the private sectors so that information about attack trends, vulnerabilities, and best practices is shared. Additionally, SSAs are to raise awareness, identify and remediate vulnerabilities when possible, disseminate sector-specific threat warnings, and plan recovery operations for the infrastructure.

The public and private sectors need information on cyber risks and hazards so that they can protect CIKR. Sharing control systems security information is an important element in reducing cyber risks. Information to be shared includes situational awareness, vulnerability detection and mitigation, and best practices.

Some SSAs, however, expressed concern with NCSD’s leadership role in the efforts to address cybersecurity and information sharing. Many SSAs remained dissatisfied with the amount of shared information regarding vulnerability detection and mitigation. Not only were SSAs unaware of the latest cybersecurity developments and efforts, in many instances the SSAs were not informed of the results of cyber control system vulnerability assessments performed by NCSD or other federal agencies.[4]

[4] NCSD contracts with the Idaho National Laboratory (INL), a federally funded Department of Energy national laboratory that primarily focuses on energy and critical infrastructure security, to perform on-site cyber vulnerability assessments of control systems and evaluation of vendors’ new system products.

When NCSD performed its vulnerability assessments of private sectors’ control systems, the results were sometimes discussed with private sector personnel, and excluded the SSAs. In other instances, NCSD attempted to share the results of vulnerability assessments with the SSAs, but was prevented from sharing this information because of non-disclosure agreement restrictions between NCSD and the private sector owners. Furthermore, SSAs were unaware of cyber control system vulnerability assessment results that were performed by their regulatory SSA counterparts, such as the Department of Energy and the Department of Defense.

Homeland Security Presidential Directive 7 (HSPD-7) requires that DHS and the SSAs collaborate with the appropriate private sector entities and encourage the development of information sharing and analysis mechanisms. Information sharing and analysis should relate to physical and cyber threats, vulnerabilities, incidents, protective measures, and best practices. Furthermore, The National Strategy to Secure Cyberspace recommends that DHS coordinate with other federal agencies to share specific warning information and advice about appropriate protective measures and countermeasures.

In the past, NCSD did not consistently hold its monthly or quarterly working group meetings with the SSAs to discuss cybersecurity developments and their impact on control systems. According to some SSA officials, the meetings were held infrequently during calendar year 2008. The last meeting was held in May 2008 to discuss specific vulnerabilities. Since January 2009, NCSD has attempted to improve its relationship with the SSAs and the private sector by conducting monthly working group meetings to discuss cybersecurity efforts. During these meetings, NCSD discussed updates on cybersecurity initiatives and activities, the latest incident reporting by US-CERT, sub-working groups’ progress, and upcoming training.

It is essential that the control systems community receives and is able to share critical information about identified vulnerabilities and reported events so that appropriate steps are taken to reduce the effects of a cyber incident. Therefore, the collaborative working groups should establish the trust and credibility needed to encourage open sharing of cybersecurity efforts and results. Information sharing also allows the control systems community to leverage other protective means used by the public and private sectors to secure control systems.

Recommendations

We recommend that the Deputy Under Secretary of the National Protection and Programs Directorate (NPPD) require NCSD to:

Recommendation #1: Consistently hold monthly working group meetings to coordinate control systems security efforts and enhance information sharing between the public and private sectors.

Recommendation #2: Establish alternative measures to reduce the non-disclosure restrictions on sharing control system vulnerability information. Possible alternatives could include the use of anonymity when gathering and reporting vulnerability information among stakeholders, including system owners and SSAs.

Recommendation #3: Hold a joint conference where all affected stakeholders can offer or provide remedy in alleviating prohibitions on sharing vulnerability information among control systems owners.

Management Comments and OIG Analysis

NPPD concurred with recommendation 1. NCSD is already in compliance with this recommendation through a separate means, the Cross-Sector Cyber Security Working Group (CSCSWG), which was established in 2007 and meets monthly to coordinate cybersecurity in CIKR sectors.

In addition, NCSD recently established the Industrial Control Systems Joint Working Group (ICSJWG) to coordinate security initiatives specifically associated with CIKR control systems. The ICSJWG meets quarterly and holds semi-annual conferences, but is planning to begin conducting monthly coordination meetings.

We agree that the steps that NPPD has taken, and plans to take, satisfy this recommendation. This recommendation will remain resolved and open until NPPD provides further updates on the progress of the monthly meetings.

NPPD concurred with recommendation 2. Non-disclosure agreements will always be necessary for vendor system assessments to protect proprietary information about system configurations and vulnerabilities. NCSD, however, encourages vendors to develop mitigation strategies, to share these strategies with their user base, and to report progress on their mitigation efforts. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) publishes security bulletins in cooperation with US-CERT, but keeps specific information about vendors and event locations confidential. The CSSP also issues an annual report listing common vulnerabilities within control systems associated with CIKR sectors.

We agree that the steps that NPPD has taken, and plans to take, satisfy this recommendation. This recommendation will remain resolved and open until NPPD provides copies of ICS-CERT security bulletins and the annual report listing common vulnerabilities within control systems associated with CIKR sectors.

NPPD concurred with recommendation 3. A subgroup devoted to improving information sharing was formed under the auspices of the ICSJWG to address challenges associated with protecting sensitive and proprietary information. This subgroup, called the Information Sharing Subgroup, has developed a charter and will work with the CIKR community to develop a process for improving cybersecurity information sharing among control system stakeholders.

We agree that the steps that NPPD has taken, and plans to take, satisfy this recommendation. This recommendation will remain resolved and open until NPPD provides a copy of the Information Sharing Subgroup charter and develops the process for information sharing.

Increasing the Number of Vulnerability Assessments Can Reduce Sectors’ Risks

Without an effective vulnerability assessment program, NCSD cannot develop strategies to mitigate common and sector-specific vulnerabilities. Through INL, NCSD has developed a vulnerability assessment program to reduce cyber risks for control systems and new vendor products. NCSD performs the following two types of assessments:

- On-site cybersecurity control system vulnerability assessments – Performed on existing control systems to evaluate the current security posture. NCSD partners with the Protective Security Advisors (PSA) program, under NPPD’s Office of Infrastructure Protection, to perform on-site assessments. NCSD assesses cybersecurity, while the Office of Infrastructure Protection assesses the physical security of the facility.

- Vendor system assessments – Focused on building security into hardware and software IT products during development. INL partners with selected vendors to evaluate new control system products for security vulnerabilities. INL uses nonintrusive methods, such as reviewing network diagrams and firewall rules, and performs a hands-on assessment of a duplicate nonproduction installation of the system. INL and the vendors sign a non-disclosure agreement to protect proprietary information and ensure confidentiality.

NCSD’s on-site vulnerability assessments were performed in 6 of the 18 sectors: Chemical, Dams, Energy, Healthcare and Public Health, Transportation, and Water. Vulnerability assessments identify areas of weakness in software, hardware, and operational equipment that are susceptible to destruction, incapacitation, or exploitation by mechanical failures, natural hazards, terrorist attacks, or other malicious acts. As part of these assessments, NCSD also determines what actions should be taken to mitigate risks.

NCSD tasked cybersecurity experts, such as INL, other national laboratories, and control system companies, to perform vulnerability assessments of control systems and network components. Additionally, the cybersecurity experts provide services to mitigate vulnerabilities and build a security culture within the control systems community. For example, they conduct outreach and awareness programs, develop and disseminate control systems security products, and provide a capability to respond to threats, vulnerabilities, and incidents.

INL also developed the automated Control System Cyber Security Self-Assessment Tool (CS2SAT). INL and the cybersecurity experts use CS2SAT to perform on-site vulnerability assessments. The CS2SAT tool provides a series of tests based on recognized security standards within the control system community. The tool is designed to identify gaps between the controls implemented on a system and the controls that should be implemented according to standards. Based on the identified gaps, recommendations are made to correct cited weaknesses. INL and the cybersecurity experts train private sector personnel on how to use the CS2SAT tool so that they can perform self-assessments of their control systems.

NCSD has conducted 11 on-site cybersecurity vulnerability assessments at private sector sites to date. NCSD discussed identified weaknesses, lessons learned, and best practices with the private sector owners. During FY 2008, 15 vendor product assessments were performed.

In its interagency agreement with INL, NCSD did not define its expected number of on-site and vendor product vulnerability assessments to be performed during FY 2008. For FY 2009, NCSD budgeted for 12 on-site cyber assessments to be conducted. NCSD personnel did not yet know how many vendor product assessments would be conducted during FY 2009.

In addition to NCSD, other federal agencies, such as the Department of Energy and the Department of Defense, perform control system vulnerability assessments. Most of the regulatory SSAs also perform periodic vulnerability assessments using customized assessment tools. The SSAs, however, do not consistently share the results of their assessments with the control systems community.

Participation in NCSD’s vulnerability assessment program is voluntary and available to any interested control systems owner. NCSD does not have the authority to require assessments or the implementation of recommendations. As a result, some sectors – Agriculture and Food – have not had cybersecurity vulnerability assessments performed. According to NCSD management and the SSAs, cybersecurity is not a priority for most control systems owners because the importance of cybersecurity or its impact on their systems is not clearly understood.

The National Infrastructure Protection Plan (NIPP) requires DHS to ensure that comprehensive vulnerability assessments are performed for CIKR. Additionally, the NIPP requires SSAs and security partners to facilitate vulnerability assessment activities within their sectors. SSAs are responsible for working with DHS to validate the results of those assessments for assets that are of the greatest concern from the sector perspective.

DHS must work with the SSAs and control systems owners, as well as other security partners, to identify weaknesses and vulnerabilities in control systems. Without effective on-site cybersecurity assessments of control systems to identify and mitigate vulnerabilities and risks, critical control systems may be at risk of cyber attacks.

On-site and vendor system assessments allow NCSD to conduct trend analyses of vulnerabilities discovered, which would aid NCSD in identifying events that indicate increasing interest or significant developments. Additionally, NCSD should follow up on previously conducted assessments to determine the risk reduction of actions taken on mitigated vulnerabilities. The follow-up program further demonstrates to the public and private sectors that improvements are being made in control systems cybersecurity. With assessment results, NCSD and the SSAs would be in a better position to help inform the control systems community of critical security investments that should be made to protect their systems.

Recommendations

We recommend that the Deputy Under Secretary of NPPD require NCSD to:

Recommendation #4: Increase the number of on-site assessments performed of the CIKR by:

- Seeking assistance from the Office of Infrastructure Protection via its PSA Program to perform cyber assessments when they perform physical security assessments.

- Encouraging the assistance of the SSAs in performing on-site cybersecurity assessments.

- Leveraging partnerships among the various Federal agencies in performing cybersecurity assessments.

- Developing incentive programs to encourage participation.

Recommendation #5: Develop a process to follow up on the vulnerability assessments performed to obtain feedback on the actions implemented.

Management Comments and OIG Analysis

NPPD concurred with recommendation 4. The CSSP has planned for 12 on-site assessments in its FY09 work scope and agrees that additional assessments should be performed. NCSD works closely with the Office of Infrastructure Protection’s regional PSAs to find asset owners in need of on-site assistance. NCSD also supports the Office of Infrastructure Protection with its Regional Resiliency Assessment Program by providing cybersecurity expertise during on-site assessments.
NCSD also works with the SSAs through the\n      ICSJWG to identify specific sector needs and provide support in\n      developing and implementing sector roadmaps to secure control\n      systems. NCSD has already scheduled training workshops for the\n      water sector as that sector rolls out their roadmap. This training\n      will include instruction in the use of the self-assessment tools and\n      offers for on-site assessment support.\n\n      We agree that the steps that NPPD has taken, and plans to take,\n      satisfy this recommendation. This recommendation will remain\n      resolved and open until NPPD provides the 12 assessment trip\n      reports and copies of the training packages for the water sector.\n\n      NPPD concurred with recommendation 5. Currently the vendors\n      that participate in laboratory system assessments provide the\n      program with a plan for developing and implementing mitigation\n      strategies to eliminate the discovered vulnerabilities and share\n      information with their user base.\n\n\n\n   Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                            Page 12\n\x0c             Also, ICS-CERT has provided follow-up actions in cases where\n             the industry has requested assistance for analysis of specific cyber\n             events within their networks. Although it is understood that all\n             responses back to ICS-CERT are voluntary, organizations have\n             responded with acknowledgement that the assistance CSSP has\n             provided was indeed useful to remediate vulnerabilities.\n\n             Lastly, NCSD is developing a process to collect feedback from\n             stakeholders as they apply mitigation strategies through roadmap\n             implementation in each sector. 
This process will encourage the\n             sectors to collect common vulnerabilities in their security posture,\n             which are discovered during the self-assessment process.\n\n             We agree that the steps that NPPD has taken, and plans to take,\n             satisfy this recommendation. This recommendation will remain\n             resolved and open until NPPD provides a copy of the policy and\n             procedures outlining the follow up process to collect feedback\n             from the stakeholders and a copy of a report log showing\n             ICS-CERT\xe2\x80\x99s follow up efforts.\n\n\nSpecific Performance Measures Should be Defined to Assess\nEffectiveness of CSSP\n     Though performance measures exist, NCSD cannot determine that its\n     CSSP is achieving the intended results and impact without developing\n     sufficient outcome measures. As a result, NCSD will have difficulty in\n     determining how effective its CSSP is in achieving its goal to strengthen\n     control systems security.\n\n     Performance measures indicate whether a program is meeting its goals and\n     whether expected results are being achieved. 
Furthermore, performance\n     measures address the direct products and services delivered by a program\n     (outputs) and the results of those products and services (outcomes).\n     Outcomes are important as they often describe the intended results or\n     consequences that will occur from carrying out a program or activity.\n\n     NCSD identified the following performance measures to monitor its\n     overall cybersecurity efforts:\n\n     x   Percentage of CIKR sectors that incorporated cybersecurity\n         vulnerability assessments or its questions/concepts into their sector\n         risk assessment methodologies;\n\n\n\n\n          Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                                   Page 13\n\x0cx\t   Percentage of targeted beneficiary satisfaction with cybersecurity\n     collaboration events;\n\nx\t   Percentage of high priority stakeholders using CS2SAT to conduct\n     assessments and mitigate known vulnerabilities;\n\nx\t   Number of cybersecurity information sharing products distributed to\n     stakeholders; and\n\nx\t   Cost per incident (in U.S. dollars) reported to US-CERT.\n\nAlthough overall performance measures have been established, NCSD has\nnot identified specific outcome performance measures to monitor CSSP\xe2\x80\x99s\nprogress with control systems cybersecurity. Also, NCSD does not\nmonitor the control systems cybersecurity progress at the sector or\nnational level. Performance measures at the sector and national levels\nallow for comparison and analysis between the different sectors.\n\nCurrently, NCSD\xe2\x80\x99s performance measure for CSSP relates to the number\nof cybersecurity information sharing products distributed to cybersecurity\nstakeholders. 
This performance measure emphasizes \xe2\x80\x9coutput\xe2\x80\x9d (i.e.,\nnumber of conferences conducted and sponsored, number of training\nsessions conducted and sponsored, and number of major reports issued),\nbut these measures do not evaluate the \xe2\x80\x9coutcome\xe2\x80\x9d of products and\nservices. Outcomes need to measure the effect of training on the control\nsystems community. For example, personnel\xe2\x80\x99s increased cybersecurity\neducation can lead to the use of tools or security assessments to identify\nand mitigate the risks of a control system attack.\n\nAccording to the NIPP, a measure-based system should be used to provide\nfeedback on efforts to attain the goals and supporting objectives of the\nprograms implemented. Measures provide a basis for establishing\naccountability, documenting actual performance, promoting effective\nmanagement, and reassessing goals and objectives. Additionally,\nmeasures offer a quantitative assessment to affirm that specific objectives\nare being met and identify gaps in the national effort or supporting sector\nefforts.\n\nThe Office of Management and Budget requires agencies to prepare an\nannual performance plan covering each program activity set forth in the\nbudget of the agency. In the plan, goals are established to define the level\nof performance to be achieved by the budgeted program activity. In\naddition, performance measures should be objective and quantifiable, and\n\n\n\n\n      Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                               Page 14\n\x0c     should help management by providing information on how resources and\n     efforts should be allocated to ensure program effectiveness.\n\n     By comparing performance to goals, NCSD can modify its strategies to\n     ensure that its mission and objectives are achieved. 
Additional\n     performance measures will enable NCSD to improve its accountability for\n     control systems security, comply with laws and regulations, and increase\n     the effectiveness of its CSSP.\n\n     Recommendation\n            We recommend that the Deputy Under Secretary of NPPD require\n            NCSD to:\n\n            Recommendation #6: Define specific outcome-based\n            performance measures that can be used to review and periodically\n            evaluate the success of its CSSP in securing the nation\xe2\x80\x99s CIKR.\n\n     Management Comments and OIG Analysis\n            NPPD concurred with recommendation 6. NCSD agrees that\n            additional performance measures should be developed to evaluate\n            progress in securing the CIKR against cyber attacks. The CSSP is\n            currently developing and evaluating new methods for measuring\n            security progress and is working with specific sectors as they\n            include performance measures in their roadmap goals and\n            milestones.\n\n            The CSSP currently collects statistics for the number of\n            participants in the various training courses offered. The program\n            also works closely with vendors as they eliminate discovered\n            vulnerabilities and share information with their user base.\n\n            We agree that the steps that NPPD has taken, and plans to take,\n            satisfy this recommendation. This recommendation will remain\n            resolved and open until NPPD provides a copy of the updated\n            performance measures.\n\nFormal Training Program Will Increase Public Awareness and\nProtection Expertise\n     NCSD has not implemented a formal training program for the control\n     systems community. 
Without adequate training, control systems owners\n\n\n\n\n         Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                                  Page 15\n\x0cmay not be able to handle disruptions in services and ensure business\ncontinuity in the event of a cyber attack or breach.\n\nTraining allows the control systems community to develop and maintain\nkey CIKR protection expertise. It is important that individuals are\nappropriately trained on how to fulfill their security responsibilities.\nFurthermore, training should enhance the knowledge and skills required to\ndetect, deter, defend, and mitigate cyber events, activities, and incidents\nthat threaten the CIKR.\n\nSince NCSD is the focal point for cybersecurity, all 18 critical sectors seek\nguidance from NCSD on how to protect their specific sector against\nvulnerabilities and threats that may directly impact their control systems.\nNCSD contracted with INL to perform training sessions with the CIKR\nsectors. Currently, NCSD\xe2\x80\x99s training program is limited to general control\nsystems security and energy sector-related topics. There is no specialized\ntraining for the other 17 sectors to improve personnel\xe2\x80\x99s capabilities in\nsecuring their control systems.\n\nNCSD is in the process of working with INL to establish a training\nprogram that will include a technical curriculum related to engineering, IT,\nand computer science. They also plan to leverage current training courses.\nHowever, due to staffing issues, it is unknown when the program will be\ncompleted or implemented.\n\nIn developing its training program, NCSD should include operational and\ntechnical topics, such as buffer zone protection, surveillance detection,\nhigh-risk target awareness, incident reporting, and accepted control system\nsecurity practices. 
NCSD should also work with the SSAs and other\nCIKR partners in developing courses for its formal training program.\n\nThe NIPP stipulates that DHS, in conjunction with the SSAs and other\nCIKR partners, should provide training programs to security partners from\nwhich they can obtain specialized training to enhance critical\ninfrastructure resource protection. Additionally, The National Strategy to\nSecure Cyberspace requires that a national cyberspace security and\ntraining program be developed. According to The National Strategy to\nSecure Cyberspace, DHS must implement and encourage the\nestablishment of programs to advance the training of cybersecurity\nprofessionals. DHS must also develop a coordination mechanism linking\nfederal cybersecurity training programs. The cyberspace training program\nis to raise cybersecurity awareness in companies, government agencies,\nuniversities, and among computer users.\n\n\n\n\n     Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                              Page 16\n\x0cA training program for the control systems community would ensure that\nsituational awareness and the impact of vulnerabilities and threats are\nconveyed so that they can be addressed. 
By providing the latest advances\nin risk mitigation and best practices, the control systems community can\nimprove the security of their systems, thus, contributing to the overall\nprotection of CIKR.\n\nRecommendations\n       We recommend that the Deputy Under Secretary of NPPD require\n       NCSD to:\n\n       Recommendation #7: Develop specialized training for all CIKR\n       sectors in order to improve public and private sector knowledge of\n       control systems and cybersecurity risks.\n\n       Recommendation #8: Market the availability of formal training\n       courses to the control systems community to stress the awareness\n       of cybersecurity and its importance.\n\nManagement Comments and OIG Analysis\n       NCSD did not concur with recommendation 7. In general, NCSD\n       does not recommend that specialized training for each sector be\n       developed since control system applications and associated\n       vulnerabilities are ubiquitous across all sectors. The current\n       training curriculum already targets multiple sectors with examples\n       of threats and consequences from many industries. Furthermore,\n       control system components are used in every industry to perform\n       the same control functions, irrespective to the process they control.\n       When requested, the program has provided and will continue to\n       develop specialized training for individual sectors to tailor it to\n       their specific processes.\n\n       We agreed to remove this recommendation based on the response\n       provided by NPPD. Additionally, NPPD indicated in its response\n       to recommendation 4 that NCSD is already scheduling training\n       workshops for the water sector.\n\n       NCSD concurred with recommendation 8. NSCD currently\n       operates an extensive marketing effort to multiple sectors to\n       highlights its products and training. 
This marketing is provided in\n       the form of:\n\n\n\n\n    Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                             Page 17\n\x0c   x     Presentations and keynote address at national and\n         international industry conferences;\n\n   x     Booths at conferences which highlight the program products\n         and training offerings;\n\n   x     Postings on the US-CERT and Control Systems website;\n\n   x     Invitations at ICSJWG and CSCSWG Meetings; and\n\n   x     Invitations to training at on-site assessments.\n\n   NCSD plans to continue efforts to promote training and\n   continuously improve the training curriculum.\n\n   We agree that the steps NPPD has taken satisfy this\n   recommendation. Additionally, NPPD has provided copies of the\n   ICSJWG Inaugural Symposium and the upcoming ISCJWG 2009\n   Fall Conference and Call for Papers, which advertised NCSD\n   training. This recommendation is resolved and closed.\n\n\n\n\nChallenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                         Page 18\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n\n                   The objective of our audit was to determine whether NCSD is\n                   effective in its efforts to improve cybersecurity within the nation\xe2\x80\x99s\n                   critical infrastructure. 
We determined whether NCSD:\n\n                   x   Is effectively reducing the risk to the nation\xe2\x80\x99s CIKR by\n                       providing guidance to the control system community through a\n                       variety of mechanisms, trends, and methodologies.\n\n                   x   Is properly monitoring collaborative efforts among federal,\n                       states, local and control systems owners, operators, and\n                       vendors.\n\n                   x   Has an incident response procedure in place to provide a level\n                       of assurance that the nation\xe2\x80\x99s control systems would recover\n                       from attacks in a timely manner.\n\n                   Our review focused on NCSD\xe2\x80\x99s program for control system\n                   security based on the requirements outlined in HSPD 7, Critical\n                   Infrastructure Identification, Prioritization, and Protection\n                   (December 2003), NIPP (June 2006), The National Strategy to\n                   Secure Cyberspace (February 2003), National Institute of\n                   Standards and Technology Special Publication 800-53,\n                   Recommended Security Controls for Federal Information Systems\n                   (December 2007), and National Institute of Standards and\n                   Technology Special Publication 800-82, Guide to Industrial\n                   Control System Security (September 2008).\n\n                   We interviewed NCSD and Office of Infrastructure Protection\n                   management, as well as personnel from the INL, including the\n                   program managers and the Cyber Security Assessment Lead.\n                   Furthermore, we interviewed personnel from various sectors,\n                   including Chemical, Commercial Facilities, Dams, Defense\n                   Industrial Base, Energy, Nuclear Reactors, Materials and Waste,\n          
         and Water. We received feedback regarding NCSD\xe2\x80\x99s\n                   communication and information sharing, vulnerability\n                   assessments, and cybersecurity concerns.\n\n                   We evaluated the quality of NCSD\xe2\x80\x99s performance measures. We\n                   reviewed vulnerability notes and critical infrastructure information\n                   notices to determine whether US-CERT issued adequate and\n                   timely incident response reports to the control systems community.\n                   We also evaluated the CS2SAT, a questionnaire used to conduct\n\n\n                  Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                                         Page 19\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n\n                    cybersecurity assessments, and determined whether security \n\n                    assessments are being performed. \n\n\n                    We conducted our work at the program level and conducted a site \n\n                    visit at INL in Idaho Falls. We conducted this performance audit \n\n                    between December 2008 and April 2009 according to generally \n\n                    accepted government auditing standards. Those standards require \n\n                    that we plan and perform the audit to obtain sufficient, appropriate \n\n                    evidence to provide a reasonable basis for our findings and \n\n                    conclusions based on our audit objectives. We believe that the \n\n                    evidence obtained provides a reasonable basis for our findings and \n\n                    conclusions based on our audit objectives. Major OIG contributors \n\n                    to the audit are identified in Appendix C. \n\n\n                    The principal OIG points of contact for the audit are\n\n                    Frank W. 
Deffer, Assistant Inspector General, Information \n\n                    Technology Audits, at (202) 254-4041, and Edward G. Coleman, \n\n                    Director, Information Security Audit Division, at (202) 254-5444. \n\n\n\n\n\n                 Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                                          Page 20\n\x0cAppendix B\nManagement Comments to the Draft Report\n________________________________________________________________________\n\n\n\n\n                 Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                                        Page 21\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n                Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                                         Page 22\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n                Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                                         Page 23\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n                Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                                         Page 24\n\x0cAppendix C\nMajor Contributors to this Report\n________________________________________________________________________\n\n                  Information Security Audit Division\n\n                  Edward G. 
Coleman, Director\n                  Tarsha Cary, Audit Manager\n                  Pamela Williams, Senior IT Auditor\n                  Charles Twitty, IT Auditor\n                  Amanda Strickler, IT Specialist\n                  Barbara Bartuska, Audit Manager\n                  Matthew Worner, Referencer\n\n\n\n\n                 Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                                        Page 25\n\x0cAppendix D\nReport Distribution\n________________________________________________________________________\n\n                  Department of Homeland Security\n\n                  Secretary\n                  Deputy Secretary\n                  Chief of Staff for Operations\n                  Chief of Staff for Policy\n                  Deputy Chief of Staff\n                  Executive Secretary\n                  Assistant Secretary, Legislative Affairs\n                  Assistant Secretary, Policy\n                  Assistant Secretary, Public Affairs\n                  General Counsel\n                  Office of Security\n                  Office of Privacy\n                  Assistant Secretary, Cyber Security and Communications\n                  Chief Information Officer (CIO)\n                  Deputy CIO\n                  Chief Information Security Officer\n                  Director, NCSD\n                  Director, Critical Infrastructure Cyber Protection and Awareness,\n                  NCSD\n                  Director, Control Systems Security Program, NCSD\n                  Director, US-CERT\n                  Information Systems Security Manager, NPPD\n                  Director, Departmental GAO/OIG Liaison Office\n                  Director, Compliance and Oversight Program\n                  Audit Liaison, NPPD\n                  Audit Liaison, DHS/CISO\n                  Audit Liaison, DHS/CIO\n                  Director, Information Security Audit Division (ISAD)\n                  
Audit Manager, ISAD\n\n                  Office of Management and Budget\n\n                  Chief, Homeland Security Branch\n                  DHS OIG Budget Examiner\n\n\n\n\n                 Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                                        Page 26\n\x0cAppendix D\nReport Distribution\n________________________________________________________________________\n\n                  Congress\n\n                  Appropriate Congressional Oversight and Appropriations\n                  Committees\n\n\n\n\n                 Challenges Remain in DHS\xe2\x80\x99 Efforts to Secure Control Systems\n\n                                        Page 27\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,\nfax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c"